Patch Tuesday for April 2014 – it’s Goodbye, Farewell and Amen for Windows XP

Patch Tuesday

The date’s been in our diaries since 2007.

But even with seven years to prepare for it, you’ll be forgiven for approaching this month’s Microsoft Patch Tuesday with a bit of a lump in your throat.

It’s the last patch for Windows XP, after 13 years of service, as well as the end of the road for Office 2003 and Exchange 2003, which won’t get updates again.

One burning question over the past two weeks is whether the recently-publicised Rich Text Format (RTF) zero-day in Microsoft Word would be patched.

That’s a vulnerability that can theoretically be exploited on all versions of Word, even on the Mac, by using a booby-trapped RTF file that crashes Word and diverts control into executable code hidden inside the document file itself.

That’s one of the worst sorts of security hole, known as an RCE.

RCE is short for Remote Code Execution, and it generally means that an attacker can send you what is supposed to be a harmless data file, yet use it as a secret delivery mechanism for an executable warhead.

The RTF zero-day is known as CVE-2014-1761, and can even affect you from Outlook.

If Outlook is configured to use Word to to render RTF files, previewing an RTF message could kick off an attack.

The good news is that Bulletin One of Microsoft’s four patches for April 2014 will fix the RTF hole on all supported platforms, including Office 2003.

That detail was confirmed on the Microsoft Security Response Center blog a few days ago:

Click to jump to Microsoft's article...

The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010. The update will fully address all affected versions.

Don’t forget: if you’re an Office for Mac user, the “all affected versions” mentioned above includes you, too.

The RTF patch, unsurprisingly, is rated Critical; so is Bulletin Two, Microsoft’s customary Cumulative Internet Explorer update.

All versions of IE will be getting a patch to fix an RCE hole amongst other things, with the exception of IE 10. (No, we don’t know why both IE 9 and IE 11 have the buggy code, but IE 10 doesn’t.)

The two remaining bulletins are only rated Important, even though they are listed as RCE patches.

One is relevant only to users of Publisher 2003 and Publisher 2007, which we don’t imagine are used by terribly many Naked Security readers.

The other patch applies to all versions of Windows, from XP3 to Windows 8.1, including Windows RT and Server Core installs.

We can’t tell you exactly what type of bug this last Bulletin will fix, and we don’t know why it isn’t considered critical, but we’re going to recommend that you install it immediately anyway, especially on Server Core systems.

The decision to deploy Server Core is usually a security-conscious choice, so fixing any known Remote Code Execution holes as quickly as you can is probably a good match for that attitude.

This will, of course, be the last time you’ll be applying Microsoft patches to your XP systems.

So, if you are are going to be keeping any XP systems alive in the future, why not listen to our End of XP podcast, and take a look at our Eight Tips for improving your XP security situation?

(Audio player above not working for you? Download MP3 or listen on Soundcloud.)